Recent Issue Headlines

According to the U.S. Supreme Court, historical cellphone records deserve more stringent protection than other customer information held by service providers. In Carpenter v. United States, the Court recently ruled that the collection of historical cell-site location information during a criminal investigation is subject to Fourth Amendment “search and seizure” protection and that the federal government generally needs a warrant to access such records. The decision may have been a victory for privacy advocates in theory, but what does it mean on the ground for government investigations and the companies that handle this and related data? This article analyzes the decision and its implications with insight from our experts. See also “How to Respond to Law Enforcement Demands for Geolocation Data and Data Stored Abroad” (Nov. 30, 2016).

Once the initial fervor over GDPR implementation dies down, companies will have to ensure that their program is properly maintained long-term. This final installment of our three-part GDPR series for the financial sector addresses how to monitor and assess the program and examines special considerations – such as determining the identity of controllers and processors and accounting for Member-State specificities. The first article in the series discussed the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. Part two detailed specific compliance steps and how to preserve defenses to a class action that companies may be unwittingly waiving. See “What Are the GDPR’s Implications for Alternative Investment Managers? (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).

Two recent surveys seem to demonstrate a collective corporate false sense of security about organizations’ ability to handle a cyber incident. One, by IBM and the Ponemon Institute, shows that the average total cost of a data breach is $3.86 million; the second, by Marsh & McLennan Agency (MMA), reveals that most organizations do not know how to measure the cyber risk they face. Seventy-eight percent of respondents to the MMA survey were fairly to highly confident their organization would be able to manage and respond to a cyber attack, but the IBM/Ponemon survey found it takes almost six months to identify an incident. The Cybersecurity Law Report takes a closer look at the results of these surveys and what they reveal about risk awareness and, perhaps, a certain measure of corporate torpor in addressing the likelihood of a data breach. See “Pillars of Effective Breach Detection, Response and Remediation” (Apr. 25, 2018).

Lewis Brisbois recently announced the addition of partner Simone McCormick to the firm’s data privacy & cybersecurity practice in Portland, Oregon. McCormick advises clients on best practices regarding data privacy compliance, data breach preparedness and response, risk assessment and specifically tailored policies and procedures. She also counsels businesses and individuals following data incidents, including in relation to forensics investigations. For more from Lewis Brisbois, see “How Financial Service Providers Can Use Cyber Insurance to Mitigate Risk” (Jun. 8, 2016).